Aled,

On 6 December 2016 at 11:20, Aled Sage <[email protected]> wrote:

> *gpg: WARNING: This key is not certified with a trusted signature*
>
> Do we need to worry about that? Do I need to import more keys into my chain of trust?
>
> (Note that the script had previously executed `curl https://dist.apache.org/repos/dist/release/brooklyn/KEYS | gpg --import`).

GPG is simply telling you that the "trusted" bit is not set on the copy of Svet's key *that is in your keyring*. The key has been imported (so you don't need to import anything else) but by default GPG won't trust the key. You can tell GPG that you do trust that key really does belong to Svet and then the warning would go away. (Ideally you would use some "real world" verification before telling GPG to trust the key.)

Of course, my description is a gross oversimplification of the "web of trust" system.

So this is not a problem with the release process, artifacts or Svet's key - merely the way your own GPG is configured.

Richard.
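An added example, not part of the original thread or the Brooklyn release scripts: a verification script can separate "the signature is good and comes from the expected key" from "my keyring has no trust set for that key" by reading GPG's machine-readable status lines instead of the warning text. The function name `classify_status`, the pinned fingerprint and the sample status output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real input would come from:
#   gpg --status-fd 1 --verify <artifact>.asc <artifact> 2>/dev/null
# PINNED_FPR is a constructed placeholder, not a real key fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# classify_status FPR: read status lines on stdin and print one verdict:
#   ok-trusted        good signature, pinned key, key certified as trusted in this keyring
#   ok-untrusted-key  good signature, pinned key, no trust set (the WARNING case)
#   wrong-key         good signature, but made by a key other than the pinned one
#   bad-signature     bad, expired or revoked signature/key, or no signature at all
classify_status() {
    awk -v pinned="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { valid = 1; if ($3 == pinned || $NF == pinned) pin_ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 ~ /^TRUST_/   { trust = $2 }
        END {
            if (bad || !good || !valid) print "bad-signature"
            else if (!pin_ok)           print "wrong-key"
            else if (trust == "TRUST_FULLY" || trust == "TRUST_ULTIMATE") print "ok-trusted"
            else                        print "ok-untrusted-key"
        }'
}

# Constructed status output: good signature from an imported but untrusted key.
sample_untrusted() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-12-06 1481023200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

sample_untrusted | classify_status "$PINNED_FPR"   # prints ok-untrusted-key
```

The pinned fingerprint should be one confirmed through a channel other than the KEYS file download itself, which is the "real world" verification the reply mentions.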
